Trusted — Risk Score 5/100
Last scan: 18 hr ago
stock-ai-analyzer
Stock AI analysis assistant, supporting basic analysis and enhanced analysis
This is a legitimate stock analysis skill that uses Tushare for financial data and AI models for analysis. All functionality is properly documented with no hidden or suspicious behaviors.
Skill Name: stock-ai-analyzer
Duration: 39.8s
Engine: pi
Safe to install
No security concerns. The skill is safe to use as documented.

Findings 2 items

Severity | Finding | Location

Low | Unpinned dependencies | Supply Chain
Detail: No requirements.txt or pyproject.toml found; pandas, numpy, tushare have no version constraints
Evidence: import pandas, import tushare, import numpy
→ Add a requirements.txt with pinned versions (e.g., pandas>=1.5.0, numpy>=1.23.0, tushare>=1.4.0) to ensure reproducible builds
File: N/A

Info | Minor network outbound not explicitly declared | Doc Mismatch
Detail: SKILL.md declares AI model usage but does not explicitly state that prompts are POSTed externally. ai_client.py makes outbound HTTP POST calls to AI endpoints.
Evidence: export LLM_API_BASE=https://your-endpoint/v1
→ Add a note in SKILL.md: 'Analysis prompts are sent to the configured AI endpoint for processing.'
File: SKILL.md:39
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | data_fetcher.py:45 - reads .env from cwd only
Network | READ | WRITE | ✓ Aligned | ai_client.py:50,70 - POSTs prompts to AI endpoints; SKILL.md line 39 declares 'A…
Shell | NONE | NONE | | No subprocess, os.system, or shell execution found
Environment | READ | READ | ✓ Aligned | ai_client.py reads API keys from os.environ
Skill Invoke | NONE | NONE | | No inter-skill invocation detected
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No direct DB access found
External URLs: 3 findings

Severity | Type | URL | Location
Medium | External URL | https://tushare.pro | README.md:20
Medium | External URL | https://your-api-endpoint/v1 | README.md:38
Medium | External URL | https://your-endpoint/v1 | SKILL.md:39

File Tree

9 files · 79.6 KB · 2183 lines
Python: 6 files · 1826 lines; Markdown: 3 files · 357 lines
├─ 📁 scripts
│ ├─ 🐍 __init__.py Python 1L · 21 B
│ ├─ 🐍 ai_client.py Python 209L · 6.9 KB
│ ├─ 🐍 data_fetcher.py Python 372L · 14.4 KB
│ ├─ 🐍 enhanced_analyzer.py Python 104L · 4.4 KB
│ ├─ 🐍 financial_ratios.py Python 542L · 21.2 KB
│ └─ 🐍 stock_analyzer.py Python 598L · 22.9 KB
├─ 📝 OPTIMIZATION_SUMMARY.md Markdown 170L · 5.2 KB
├─ 📝 README.md Markdown 84L · 1.9 KB
└─ 📝 SKILL.md Markdown 103L · 2.8 KB

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
tushare | * | pip | No | No version constraint specified
pandas | * | pip | No | No version constraint specified
numpy | * | pip | No | No version constraint specified

Security Positives

✓ No subprocess, os.system, shell execution, or any form of code execution found
✓ No base64 encoding, obfuscation, or anti-analysis patterns detected
✓ No credential harvesting beyond API keys needed for the service
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env beyond current directory)
✓ No curl|bash or wget|sh remote script execution
✓ No hidden instructions in comments or strings
✓ No data exfiltration or C2 communication detected
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ .env file access is scoped to current working directory only (security-conscious design)
✓ AI client gracefully handles missing API keys with user-friendly errors
✓ Clean separation of concerns: data fetching, analysis, AI client are modular